SUMMARY: TSS | ECID | T8101 | X86_64 | Downgrade | IPSW | iPhone 12 aka 13,1 | SRD0037 | declined to sign downgrade request || Workaround Posted #5

Closed
xsscx opened this issue Dec 21, 2021 · 4 comments


xsscx commented Dec 21, 2021

TSS | ECID | T8101 | X86_64 | Downgrade | IPSW | iPhone 12 aka 13,1 | declined to sign downgrade request

TSS is Declining to Sign an IPSW when attempting to Update 0x1418da3cc0013a with Apple M1 when using macOS 11.6.2 (20G314) with the typical Message: boo hoo

TSS is Permitting an IPSW Signing with Intel X86_64 when using macOS 12.1 (21C62).

This was the same behavior with the original iPhone 11 for SRDC 2021. At Shipping, TSS worked on X86_64 but not on T8101. Resolution was approximately 60 days.

Notification sent via e-mail 20-Dec-2021


xsscx commented Jan 2, 2022

#6

@xsscx xsscx closed this as completed Jan 2, 2022

xsscx commented Jan 10, 2022

Still AFU - More Details in #6

@xsscx xsscx reopened this Jan 10, 2022
@xsscx xsscx pinned this issue Jan 10, 2022
@xsscx xsscx unpinned this issue Jan 10, 2022
@xsscx xsscx changed the title from "TSS | ECID | T8101 | Fail" to "TSS | ECID | T8101 | X86_64 | Downgrade | IPSW | iPhone 12 aka 13,1 | declined to sign downgrade request" Jan 10, 2022
@xsscx xsscx changed the title from "TSS | ECID | T8101 | X86_64 | Downgrade | IPSW | iPhone 12 aka 13,1 | declined to sign downgrade request" to "TSS | ECID | T8101 | X86_64 | Downgrade | IPSW | iPhone 12 aka 13,1 | SRD0037 | declined to sign downgrade request" Jan 10, 2022
@xsscx xsscx pinned this issue Jan 10, 2022
@xsscx xsscx unpinned this issue Jan 10, 2022

xsscx commented Jan 12, 2022

Workaround for iPhone 12 IPSW Downgrade from iOS 15.3 Beta 19D5026g to iOS 15.2 19C56

Workaround for Downgrade of IPSW for iPhone 12 using Finder and srdutil.

It has been found that when using srdutil and then Finder a successful Downgrade for the iPhone 12 can be performed as shown below:

[08:14:59.6816] Successfully applied power assertion
[08:14:59.6817] requested variant: Research Customer Erase Install (IPSW)
[08:14:59.6818] amai: AMAuthInstallBundleCopyBuildIdentityForVariant: searching for variant Research Customer Erase Install (IPSW) (0 recovery)
[08:14:59.6886] amai: AMAuthInstallBundleCopyBuildIdentityForVariant: No baseband chipid reported. Will match Build Identity based on ap chipid, boardid, and secdomain only.
[08:14:59.6886] amai: AMAuthInstallBundleCopyBuildIdentityForVariant: AMAuthInstallBundleCopyBuildIdentityForVariant: Found variant: Research Customer Erase Install (IPSW)
[08:14:59.6913] Automatically set FormatForAPFS => True and FormatForLwVM => False.
...
[08:14:59.7060] requested variant: Research Customer Erase Install (IPSW)
[08:14:59.7060] amai: AMAuthInstallBundleFDRSupported: FDR is supported for this device
[08:14:59.7061] personalizing: <AMAuthInstall 0x7fd44ff94d70>{ap=(personalize=YES d53gap ecid=0x1418da3cc0013a, chipid=0x8101, boardid=0xc, secDom=1, isProduction=YES, EPRO=YES, isSecure=YES, ESEC=YES, img4=YES, demotionPolicy=, managedBaaCert=NO, slowRollBaaCert=NO, nonce=0xa0ed6adc9e3bbf214ffc0c8a23f075bb085e49149ad1462e87e80f09b77119b1, sepNonce=0x30fb9e956bdc2b6cbb20ac11ad3442923b94457d), bp=(personalize=YES), UserAuth=NO, iTunes=NO, server="http://gs.apple.com:80", locale=en_US, version="libauthinstall-850.0.2", platform=mac/21C52/Macmini8,1}
[08:14:59.7079] amai: _AMAuthInstallBundleShouldPersonalizeOS: Personalize OS = Yes
[08:14:59.7095] amai: _AMAuthInstallBundleShouldPersonalizeOS: Personalize OS = Yes

Reproduction | Workaround:
Via Terminal, execute:

defaults write com.apple.AMPDevicesAgent ipsw-variant -string 'Research Customer Erase Install (IPSW)'

Step 1. Start the Downgrade process using srdutil to Downgrade from iOS 15.3 Beta to iOS 15.2 Retail, and allow the process to fail as shown below:

srdutil restore -vvv -s -D -e 0x1418da3cc0013a -i ~/Downloads/13-19C56.ipsw
[+] Patching PRKit with variant: "Research Developer Erase Install (IPSW)"
[+] Patching PRKit with IPSW: "/Users/xss/Downloads/13-19C56.ipsw"
[+] Dumping restore options
{
    AuthInstallVariant = "Research Developer Erase Install (IPSW)";
    AutoBootDelay = 0;
    CreateFilesystemPartitions = 1;
    FlashNOR = 1;
    NORImageType = production;
    RestoreBootArgs = "rd=md0 nand-enable-reformat=1 -progress";
    RestoreBundlePath = "file:///Users/xss/Downloads/13-19C56.ipsw";
    UpdateBaseband = 1;
}
[x] Waiting for device with ECID: 0x1418da3cc0013a to connect...
[x] Scanning for restorable devices...
[+] ECID: 0x1418da3cc0013a - connected
[+] ECID: 0x1418da3cc0013a - Sending device to recovery
[-] ECID: 0x1418da3cc0013a - disconnected
[+] ECID: 0x1418da3cc0013a - connected
[!] ECID: 0x1418da3cc0013a - target acquired - beginning restore
[ 100% ] Unrecognized operation (0)

[-!!-] Failed to restore!

Step 2. On your Screen, you should see the Finder pop up the Alert indicating your iPhone needs to be Restored; click Cancel, declining to Restore.

Step 3. Using Finder, select the SRD iPhone, Press Option Key + Restore and select the IPSW for iPhone 12 Version 19C56, iOS 15.2 Retail, completing the typical Restore process.

Step 3. Upon Reboot, use Finder to Verify the IPSW Version as iOS 15.2 19C56

Step 4. Configure the SRD iPhone 12 and obtain IP Address for SSH

Step 5. Install and Verify a cryptex personalization

[example-cryptex] - Creating cryptex /Users/xss/security-research-device/example-cryptex/com.example.cryptex.cxbd - 1.3.3.7 from the disk image com.example.cryptex.dmg
[example-cryptex] - Installing /Users/xss/security-research-device/example-cryptex/com.example.cryptex.cxbd onto device: 00008101-001418DA3CC0013A
cryptexctl: cryptex not installed on device: com.example.cryptex
com.example.cryptex
  version = 1.3.3.7
  device = /dev/disk2s1
  mount point = /private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.oFLnkx

Step 6. Confirm SSH access and uname -a confirming the IPSW Restore with cryptex installation is completed.

date
Wed Jan 12 08:31:22 EST 2022
uname -a
Darwin iPhone 21.2.0 Darwin Kernel Version 21.2.0: Sun Nov 28 20:43:38 PST 2021; root:xnu-8019.62.2~1/RELEASE_ARM64_T8101 iPhone13,2 Toybox

EOF
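Added example, not part of the original comment or of the SRD tooling: a small Python parser for the `personalizing:` log line shown above that extracts the requested variant and the AP identity, then checks that the device being personalized is the same one a later tool (here the cryptex install) targets. The function names are hypothetical, the sample log is constructed from the lines on this page, and the 8+16 hex-digit identifier layout is inferred from the values shown on this page.

```python
import re

# Constructed sample: the two relevant lines from the restore log on this page,
# with the personalizing line trimmed to a few AP fields.
SAMPLE_LOG = (
    '[08:14:59.7060] requested variant: Research Customer Erase Install (IPSW)\n'
    '[08:14:59.7061] personalizing: <AMAuthInstall 0x7fd44ff94d70>{ap=(personalize=YES d53gap '
    'ecid=0x1418da3cc0013a, chipid=0x8101, boardid=0xc, secDom=1, isProduction=YES, '
    'img4=YES), bp=(personalize=YES), server="http://gs.apple.com:80"}\n'
)

VARIANT_RE = re.compile(r"requested variant: (.+)$", re.M)
AP_RE = re.compile(r"personalizing: .*?\{ap=\((.*?)\), bp=")
FIELD_RE = re.compile(r"(\w+)=([^,\s)]*)")  # key=value; empty values allowed


def parse_restore_log(text):
    """Return the requested variant and the AP identity fields being personalized."""
    variant = VARIANT_RE.search(text)
    ap = AP_RE.search(text)
    if not ap:
        raise ValueError("no 'personalizing:' line with an ap=(...) group found")
    fields = dict(FIELD_RE.findall(ap.group(1)))
    return {"variant": variant.group(1).strip() if variant else None, "ap": fields}


def udid_from_ap(ap):
    """Build the CHIPID-ECID identifier (8 + 16 hex digits) from parsed AP fields."""
    return "%08X-%016X" % (int(ap["chipid"], 16), int(ap["ecid"], 16))


def same_device(log_text, target_udid):
    """True when the device in the restore log is the one a later tool targets."""
    return udid_from_ap(parse_restore_log(log_text)["ap"]) == target_udid.upper()


if __name__ == "__main__":
    parsed = parse_restore_log(SAMPLE_LOG)
    print(parsed["variant"])
    print(udid_from_ap(parsed["ap"]))
    # Identifier as printed in the cryptex install output on this page.
    print(same_device(SAMPLE_LOG, "00008101-001418DA3CC0013A"))
```
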

@xsscx xsscx closed this as completed Jan 12, 2022
@xsscx xsscx changed the title from "TSS | ECID | T8101 | X86_64 | Downgrade | IPSW | iPhone 12 aka 13,1 | SRD0037 | declined to sign downgrade request" to "TSS | ECID | T8101 | X86_64 | Downgrade | IPSW | iPhone 12 aka 13,1 | SRD0037 | declined to sign downgrade request || Workaround Posted" Jan 12, 2022
@xsscx xsscx changed the title from "TSS | ECID | T8101 | X86_64 | Downgrade | IPSW | iPhone 12 aka 13,1 | SRD0037 | declined to sign downgrade request || Workaround Posted" to "SUMMARY: TSS | ECID | T8101 | X86_64 | Downgrade | IPSW | iPhone 12 aka 13,1 | SRD0037 | declined to sign downgrade request || Workaround Posted" Jan 17, 2022